US10607025B2 - Access control through data structures - Google Patents
- Publication number: US10607025B2 (application US15/267,116)
- Authority: US (United States)
- Prior art keywords: node, user, access, record, data structure
- Legal status: Active, expires
Classifications
- G06F21/6227 (G06F21/00 > G06F21/60 > G06F21/62 > G06F21/6218): Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
- G06F21/604 (G06F21/00 > G06F21/60): Tools and structures for managing or administering access control systems
- H04L63/08 (H04L63/00): Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/10 (H04L63/00): Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- H04L67/1097 (H04L67/00 > H04L67/01 > H04L67/10): Protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- H04L9/088 (H04L9/00 > H04L9/08): Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
- H04L9/0891 (H04L9/00 > H04L9/08): Revocation or update of secret information, e.g. encryption key update or rekeying
- H04L9/0894 (H04L9/00 > H04L9/08): Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/3247 (H04L9/00 > H04L9/32): Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures
- G06F2221/2141 (G06F2221/00 > G06F2221/21): Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- The present disclosure generally pertains to the storage of data, and in particular to storing and controlling access to data through a data structure.
- Processes that are external to the stored data are heavily relied upon to protect the data. For example, processes may require that users provide authentication information (e.g., user name and password) to be able to access stored data. However, these processes are susceptible to security breaches, and entities may find ways to access the data without permission. Since the processes are external to the data, it is not possible to make attestations that the data has not been accessed or modified by unauthorized entities.
- A data structure is described herein that relies on cryptographic principles to store data items (e.g., documents, images, videos, etc.) and control access to the stored data items.
- A data storage system initiates a data structure by creating a root node.
- The data storage system includes at least one record node in the data structure for each data item that is part of the data structure.
- Each record node is connected to the root node, either directly or indirectly through one or more record nodes.
- A record node includes the associated data item along with an input and an output.
- The input is a hash digest of the parent node directly connected to the record node.
- The output is a public key of a user that has ownership rights to the node.
- When a user has ownership rights to a record node, it signifies that the user can add a data item that is directly linked to the record node.
- As an example, a record node includes a document.
- The output of the record node may include the public key of a user that is to make revisions to the document.
- In some embodiments, the output of a record node includes constraints, different from or in addition to a public key, that indicate ownership rights to the record node.
- The output may include one or more public keys, business logic, executable code, or any combination of the aforementioned to indicate ownership rights to the record node.
- To revoke a user's access rights, the data storage system creates a new access node as a child of the node that granted the user access.
- The new node includes an input that is a hash digest of the parent node that granted the user access.
- The new node also includes data indicating that the access rights of the user associated with the public key have been revoked.
- When a user requests a data item, the data storage system determines whether the user has access rights to the data structure. To determine whether the user has access rights to the data structure, the data storage system identifies a digital signature included with the request. The digital signature is created using the user's private key. The data storage system additionally identifies the access nodes in the data structure that include a hash digest of the root node as an input and have no child node. The identified access nodes are the access nodes of the users that currently have access rights to the data structure. If the data storage system is able to verify the digital signature using an output public key of one of the identified access nodes, the data storage system determines that the user has access rights to the data structure and provides the data item to the user.
- When a user requests to store a data item linked to a record node, the data storage system determines whether the user has ownership rights to the record node. The data storage system determines that the user has ownership rights to the record node if it is able to verify a digital signature included with the request using an output public key of the record node. If the data storage system determines that the user has ownership rights to the record node, the data storage system creates a new record node as a child of the record node to which the user has ownership rights. The new record node includes the data item.
- FIGS. 2A-2E illustrate examples of a data structure in accordance with one embodiment.
- FIG. 3 is a block diagram of a data storage system in accordance with one embodiment.
- FIG. 4 is a flow chart illustrating a process for providing a user access rights to a data structure in accordance with one embodiment.
- FIG. 5 is a flow chart illustrating a process for accessing information of a data structure in accordance with one embodiment.
- FIG. 6 is a flow chart illustrating a process for processing a request to store a data item in association with a data structure in accordance with one embodiment.
- FIG. 7 is a flow chart illustrating a process for revoking a user's access rights to a data structure in accordance with one embodiment.
- FIG. 8 is a block diagram illustrating a functional view of a computer system in accordance with one embodiment.
- FIG. 1 is a block diagram of a data storage environment 100 in accordance with one embodiment.
- The data storage environment 100 includes client devices 102A, 102B, and 102C and a data storage system 104 connected via a network 106.
- Although the illustrated environment 100 includes only a select number of each entity, other embodiments can include more or fewer of each entity (e.g., additional client devices 102).
- FIG. 1 and the other figures use like reference numerals to identify like elements.
- The network 106 represents the communication pathways between the client devices 102 and the data storage system 104.
- The network 106 is the Internet and uses standard communications technologies and/or protocols.
- The network 106 can also utilize dedicated, custom, or private communications links that are not necessarily part of the Internet.
- The network 106 may comprise any combination of local area and/or wide area networks, using wired and/or wireless communication systems.
- Information exchanged via the network 106 is encrypted and decrypted using cryptographic keys of the senders and the intended recipients.
- A client device 102 is a device used by a user to communicate with the data storage system 104.
- A client device 102 may be, for example, a personal computer, smart phone, tablet computer, or personal digital assistant (PDA).
- A client device 102 stores a cryptographic key pair of a user.
- The cryptographic key pair includes a public key that can be disseminated freely and a private key known only to the user. The two keys are mathematically related to each other.
- A user communicates with the data storage system 104 to store data items with the system 104 and to access data items stored by the system 104.
- The client device 102 transmits a request to store or access a data item.
- The client device 102 includes with the request a digital signature generated using the user's private key.
- The digital signature is used by the data storage system 104 to verify that the user has authority to store or access the data item.
- The data storage system 104 is a computer system that stores data items and controls access to the data items through data structures, according to the embodiments explained herein.
- The data storage system 104 stores multiple data structures.
- Each data structure includes data that allows specific users to access data items that are part of the data structure and allows those users to store data items in association with the data structure.
- A data item is a collection of data or a portion of a collection of data.
- A data item may be a document, an image, a video, a presentation, an audio file, etc.
- A data structure includes a root node, which is the genesis of the data structure.
- The root node includes the public key of the administrator of the data structure.
- An administrator is a user that has control over which users are given access to the data structure.
- The data structure further includes an access node for each user granted access rights to the data structure.
- An access node granting a user access rights to the data structure is directly connected to the root node as a child node.
- The access node includes an input that is a hash digest of the root node, an output that is the public key of the user granted access rights, and data indicating that the user associated with the public key has been granted access rights to the data structure.
- A user with access rights to the data structure can access each data item that is part of the data structure and can also store a data item in association with the data structure.
- A hash digest is the result of a one-way cryptographic hash function applied to data, which is designed to make inversion infeasible.
- The hash function may be, for example, a SHA-256 hash function.
- When a user's access rights have been revoked, the data structure includes an additional access node directly connected to the access node that gave the user access rights to the data structure.
- The additional access node is a child of the access node that gave the user access rights.
- The additional access node includes an input that is a hash digest of the access node that gave the user access rights.
- The additional access node includes an output that is a public key of the administrator that revoked the user's access rights, and also includes data indicating that the access rights of the user have been revoked.
- The data structure also includes a record node for each data item that is part of the data structure.
- Each record node is linked to the root node, either directly or indirectly through one or more record nodes.
- A record node includes an input, an output, and the data item of the node.
- The input is a hash digest of the parent node that is directly connected to the record node.
- The output is a public key of the user that has been given ownership rights to the record node.
- A user with ownership rights to a record node can add a data item directly linked to the record node.
- Linking record nodes in the data structure allows the data structure to include information on the relationships between data items. For example, the record nodes of different versions of a data item may be linked in the data structure.
- A node (e.g., a root node, an access node, or a record node) is the basic unit of a data structure.
- FIGS. 2A-2E illustrate examples of a data structure 200 in accordance with one embodiment.
- FIG. 2A illustrates the data structure 200 including root node 202, access node 204, and access node 206.
- The root node 202 includes the public key of the administrator that initiated the creation of the data structure 200.
- Access node 204 provides a first user with access rights to the data structure 200, and access node 206 provides a second user with access rights to the data structure 200.
- The data storage system 104 creates access nodes 204 and 206 at the request of the administrator.
- Access node 204 includes an input that is a hash digest of the root node 202, an output that is a public key of the first user, and data indicating that the first user associated with the public key has access to the data structure 200.
- Access node 206 includes an input that is a hash digest of the root node 202, an output that is a public key of the second user, and data indicating that the second user associated with the public key has access to the data structure 200.
- FIG. 2B illustrates a record node 208 added to the data structure 200 by the data storage system 104 at the request of the administrator.
- The record node 208 includes an input that is a hash digest of the root node 202, an output that is the public key of the first user, and a first version of a first data item. Since record node 208 includes the first user's public key as an output, the first user has ownership rights to the record node 208 and can add a data item directly linked to the record node 208. The second user cannot add a data item linked to the record node 208, since the second user's public key is not included as an output of the record node 208.
- The second user could, however, access the first version of the first data item.
- The data storage system 104 determines that the second user can access the first version of the first data item because the system 104 is able to verify a digital signature provided by the second user using the output public key of one of the access nodes 204 or 206. In this example, the data storage system 104 would verify the digital signature using the public key of the second user included in access node 206. After verifying that the second user has access rights to the data structure, the data storage system 104 provides the first version of the first data item to the second user. If a third user, who has not been given access rights to the data structure, requests to access the first version of the first data item, the data storage system 104 will deny the request because access nodes 204 and 206 do not include the third user's public key.
- FIG. 2C illustrates record node 210, added by the data storage system 104 to the data structure 200 with the second version of the first data item and connected to record node 208.
- Record node 210 includes an input that is a hash digest of record node 208 and an output that is the public key of the second user.
- The second user has thus been given ownership rights to record node 210 and can add a data item directly linked to record node 210.
- FIG. 2D illustrates record node 212, added to the data structure by the data storage system 104 at the request of the administrator.
- The record node 212 includes an input that is a hash digest of the root node 202, an output that is the public key of the second user, and a first version of a second data item. Since the output has the public key of the second user, the second user has ownership rights to record node 212 and can add a data item linked to record node 212 (e.g., a second version of the second data item).
- In FIG. 2E, the data storage system 104 revokes the first user's access rights by adding an access node 214 to the data structure 200.
- The access node 214 is directly connected to access node 204 as a child node.
- Access node 214 includes an input that is a hash digest of access node 204, an output that is the public key of the administrator, and data that indicates that the first user no longer has access rights to the data structure 200. Since access node 204 now has a child node (access node 214), access node 204 will not be considered by the data storage system 104 in determining access rights to the data structure 200.
- If the first user subsequently requests a data item, the data storage system 104 will determine whether the first user has access rights to the data structure by identifying a digital signature included by the first user with the request and by identifying access nodes in the data structure that have no child node. In the example of FIG. 2E, the data storage system 104 will only identify access node 206. The data storage system 104 determines that the first user is not able to access the data structure because the data storage system 104 is not able to verify the first user's digital signature using the public key of the second user included in access node 206 as an output. The data storage system 104 denies the first user's request since the first user no longer has access rights to the data structure.
- Each node that is directly connected to the root node is part of a different cryptographic node lineage.
- A first node lineage includes root node 202, record node 208, and record node 210.
- A second node lineage includes root node 202, access node 204, and access node 214.
- A third node lineage includes root node 202 and access node 206.
- A fourth node lineage includes root node 202 and record node 212.
- The nodes of each lineage are cryptographically linked from the last node in the lineage to the root node through their deterministic inputs.
- For example, the input of record node 208 is a hash digest of root node 202.
- The input of record node 210 is a hash digest of record node 208.
- The nodes of a lineage are thus cryptographically linked by each node of the lineage including an input that is a hash digest of the parent node directly connected to it.
- Because each node lineage includes nodes that are cryptographically linked, the lineage provides proof of integrity for the data stored by the data structure.
- Proof of integrity for a cryptographic lineage can be provided by recalculating the hash digest for each input of the nodes that are part of the lineage. If the input hash digest calculated for a node does not match the input included in the data structure for the node, the data storage system 104 can determine that one or more nodes in the lineage have been altered. Returning to the example of FIG. 2E, assume that at some later time the data storage system 104 recalculates the input of record node 208 by hashing root node 202.
- If the recalculated input does not match the input included in record node 208, the data storage system 104 determines that the root node 202 has been altered.
- The data storage system 104 may also recalculate the input of record node 210, in addition to or instead of the input of record node 208.
- In that case, the data storage system 104 recalculates the input by hashing record node 208. If the recalculated input does not match the input of record node 210, the data storage system 104 determines that record node 208 and/or the root node 202 have been altered.
- The data that is used to control access to data items (i.e., the access nodes) is included within the same data structure as the data items.
- For example, FIG. 2E shows access nodes 204, 206, and 214 as part of the same structure 200 as record nodes 208, 210, and 212.
- As a result, the data storage system 104 does not have to rely on external systems or data structures to control access to the data items that are part of the data structure.
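The hash-linked node lineage and the integrity check described above, as an added Python example that is not code from the patent or from any implementation of it. It assumes a canonical JSON encoding of each node, SHA-256 as the hash function the page names, and opaque placeholder strings in place of real public keys; the node fields, function names, structure identifier and sample data items are constructed for this example. It builds the first node lineage of FIGS. 2A-2E (root node 202, record node 208, record node 210) and then re-verifies tampered copies of it:

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    kind: str      # "root", "access" or "record"
    input: str     # SHA-256 digest of the parent node; "" for the root
    output: str    # public key with ownership rights (an opaque placeholder string here)
    data: dict = field(default_factory=dict)   # data item, structure identifier, grant/revoke flags

def node_digest(node: Node) -> str:
    """Deterministic SHA-256 digest over a canonical JSON encoding of every node field."""
    canonical = json.dumps(vars(node), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def child_of(parent: Node, kind: str, output: str, data: dict) -> Node:
    """A new node whose input pins the digest of its parent as the parent exists right now."""
    return Node(kind, node_digest(parent), output, data)

def verify_lineage(lineage: List[Node]) -> Optional[int]:
    """Recompute each node's input from its parent, walking from the root to the last node.
    Returns the index of the first node whose stored input does not match (its parent, or an
    ancestor of the parent, was altered), or None when the lineage is intact."""
    if not lineage or lineage[0].kind != "root" or lineage[0].input != "":
        return 0
    for i in range(1, len(lineage)):
        if lineage[i].input != node_digest(lineage[i - 1]):
            return i
    return None

def build_first_lineage() -> List[Node]:
    """Root node 202 -> record node 208 (version 1) -> record node 210 (version 2) of FIGS. 2A-2E."""
    root = Node("root", "", "PUBKEY_ADMIN", {"structure_id": 200})          # constructed values
    rec208 = child_of(root, "record", "PUBKEY_USER1", {"item": "first data item, version 1"})
    rec210 = child_of(rec208, "record", "PUBKEY_USER2", {"item": "first data item, version 2"})
    return [root, rec208, rec210]

def altered(lineage: List[Node], index: int, **changes) -> List[Node]:
    """Copy of the lineage in which one node's data has been edited in place, simulating an
    unauthorised modification of a stored node whose descendants were not rebuilt."""
    tampered = copy.deepcopy(lineage)
    tampered[index].data.update(changes)
    return tampered

if __name__ == "__main__":
    lineage = build_first_lineage()
    print("intact lineage:", verify_lineage(lineage))                                    # None
    print("root 202 altered:", verify_lineage(altered(lineage, 0, structure_id=999)))    # 1
    print("record 208 altered:", verify_lineage(altered(lineage, 1, item="forged")))     # 2
    print("record 210 (tip) altered:", verify_lineage(altered(lineage, 2, item="forged")))  # None
```

Recomputing the inputs catches an alteration of any node that has a child, because the child's stored input no longer matches. The last node in a lineage has no child to pin its digest, so the inputs alone do not reveal a change to it; a deployment would also need to record or sign the digest of each lineage tip, which is not something the page describes. Because a node's output is part of the hashed content, replacing the public key that holds ownership of a node is detected in the same way as editing its data item.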
- FIG. 3 is a block diagram illustrating components of the data storage system 104 in accordance with one embodiment.
- The data storage system 104 includes a data structure storage 302, a creation module 304, a permission module 306, a verification module 308, a storage module 310, and an access module 312.
- Those of skill in the art will recognize that other embodiments of the data storage system 104 can have different and/or other components than the ones described here, and that functionalities can be distributed among components in a different manner.
- The data structure storage 302 stores data structures. Each data structure includes data items along with cryptographic information that is used to control user access to the data items and storage of data items in association with the data structure. As described in more detail below, a data structure includes a record node for each data item that is part of the data structure. Additionally, the data structure includes an access node for each user that has rights to access the data items that are part of the data structure and can store data items in association with the data structure.
- The creation module 304 processes user requests to create new data structures.
- A user may request to create a new data structure when the user desires for specific users to have access to certain data items. For example, a user may create a new data structure in order to include data items that are specific to a group within a company and for members of the group to be able to access the data items.
- When a request to create a new data structure is received, the data storage system 104 determines whether the user can request the creation of new data structures. In one embodiment, every user of the data storage system 104 can request the creation of new data structures. In another embodiment, specific users of the data storage system 104 have authority to create new data structures.
- The creation module 304 maintains the public keys of the users that have authority to create new data structures.
- The request made by the user includes a digital signature generated by the user's client device 102 using the user's private key. If the creation module 304 is able to verify the digital signature using one of the maintained public keys, the creation module 304 determines that the user is authorized to create a new data structure.
- If the creation module 304 determines that the user is authorized to create a new data structure, the creation module 304 generates a root node in the data structure storage 302.
- The root node is the genesis of the data structure.
- The user is the administrator of the data structure, and the user's public key is included in the root node.
- An administrator of a data structure has control over which users have access rights to the data structure.
- The creation module 304 also includes in the root node information that identifies the data structure (e.g., a numeric identifier).
- The permission module 306 provides and revokes users' access rights to data structures.
- In one embodiment, when a user has access rights to a data structure, the user can access each data item that is part of the data structure and can store new data items in association with the data structure. For example, returning to FIG. 2D, under this embodiment the first user and the second user can access the data items associated with record nodes 208, 210, and 212 because the users have access rights to the data structure 200 through access nodes 204 and 206.
- In another embodiment, when a user has access rights to a data structure, the user can only access data items of the data structure whose respective record nodes include the user's public key as an output. For example, returning to FIG.
- The first user would be able to access the data item associated with record node 208 because record node 208 includes the first user's public key as an output.
- The second user would be able to access the data items associated with record nodes 210 and 212 because they include the second user's public key as an output.
- the permission module 306 determines whether the user of the client device 102 that initiated the request is an administrator of the data structure. To determine whether the user is an administrator, the permission module 306 identifies a digital signature included with the request. The digital signature is generated by the client device 102 using the user's private key. The permission module 306 additionally identifies the root node of the data structure in the data structure storage 302 . If the permission module 306 is able to verify the digital signature using a public key included in the root node, the permission module 306 determines that the user is an administrator of the data structure.
- the permission module 306 creates an access node in the data structure connected directly to the root node as a child node.
- the permission module 306 includes in the access node an input that is a hash digest of the root node, an output that is a public key of the user being granted access rights, and data that indicates that the user associated with the public key has access rights to the data structure.
- the public key of the user being granted access rights is provided to the permission module 306 in the request made by the administrator.
- different or additional information may be included as the output to indicate the user granted access rights, such as one or more public keys, business logic, executable code, or any combination of the aforementioned.
- the permission module 306 when a user is added by the creation module 304 as an administrator of a data structure, the permission module 306 automatically creates an access node directly connected to the root node to provide the administrator with access rights to the data structure.
- the permission module 306 includes in the access node an input that is a hash digest of the root node, an output that is a public key of the administrator, and data that indicates that the user associated with the public key has access rights to the data structure.
- the permission module 306 determines whether the user of the client device 102 initiating the request is an administrator of the data structure. Similar to above, the permission module 306 determines whether the user is an administrator based on a digital signature included with the request and one or more public key included in the root node of the data structure in the data structure storage 302 .
- the permission module 306 identifies from the administrator's request the public key of the user whose access rights are being revoked.
- the permission module 306 identifies in the data structure an access node that includes the public key as an output of the access node.
- the permission module 306 creates a new access node directly connected to the identified access node as a child node.
- the permission module 306 generates a hash digest of the identified access node and includes the generated hash digest in the new access node as an input.
- the permission module 306 also includes in the new access node an output that is the public key of the administrator and data that indicates the access rights of the user have been revoked. By connecting the new child access node to the identified access node, the user's access rights are revoked.
- the verification module 308 determines whether users have access rights to data structures. Upon request from the storage module 310 or the access module 312 , the verification module 308 determines whether a user has access rights to a data structure. The request includes an identifier of the data structure and a digital signature generated by the user's client device 102 using the user's private key.
- the verification module 308 identifies in the data structure storage 302 the access nodes of the data structure that have no child node. In one embodiment, the verification module 308 also verifies that the identified nodes include an input that is a hash digest of the root node of the data structure. Each of the identified access nodes includes a public key as an output. If the verification module 308 is able to verify the digital signature using the output public key of one of the identified access nodes, the verification module 308 determines that the user has access rights to the data structure. If the verification module 308 is not able to verify the digital signature using the output public key of one of the identified access nodes, the verification module 308 determines that the user does not have access rights to the data structure. The verification module 308 notifies the storage module 310 or the access module 312 that made the request of its determination as to whether the user has access rights to the data structure.
- the storage module 310 processes user requests to store data items in association with data structures.
- a request is received by the data storage system 104 from a user's client device 102 to store a data item in association with a data structure.
- the storage module 310 determines which node of the data structure the request indicates the data item is to be directly linked to.
- the request indicates the node by including a hash digest of the node. If the request indicates that the data item be directly linked to the root node, the storage module 310 requests that the verification module 308 determine whether the user has access rights to the data structure and provides to the verification module 308 the information of the request received from the client device 102 .
- if the verification module 308 determines that the user does not have access rights to the data structure, the storage module 310 transmits a notification to the client device 102 denying the request. However, if the verification module 308 determines that the user has access rights to the data structure, the storage module 310 creates a record node directly connected to the root node of the data structure as a child node. By creating a record node directly connected to the root node, the storage module 310 is creating a new node lineage for the data structure. A node lineage is a path of nodes in the data structure from the root node to a node with no child nodes.
- the storage module 310 includes in the created record node the data item that the user requested be stored. In another embodiment, instead of including the data item, a pointer to a location where the data item is stored is included in the record node. The storage module 310 generates a hash digest of the root node and includes the hash digest in the record node as an input. Additionally, the storage module 310 determines from the request received from the client device 102 , the public key of the user that is to have ownership rights to the record node. The storage module 310 includes the public key in the record node as an output.
- the storage module 310 includes multiple outputs in the record node, each output for a different public key.
- a user with ownership rights to a record node can add a data item in the data structure directly linked to the record node.
- different or additional information is included as the output to indicate the one or more users that have ownership rights to a record node.
- the information included may be, for example, one or more public keys, business logic, executable code, or any combination of the aforementioned.
- a user with access rights to the data structure can store data items directly linked to the root node.
- the user may or may not be an administrator. However, in other embodiments only administrators of the data structure can store data items directly linked to the root node.
- the storage module 310 verifies that a user is an administrator before creating a record node.
- the storage module 310 determines whether the user has ownership rights to the record node that would allow for the storage of a data item that is directly linked to the record node. To determine whether the user has ownership rights to the record node, the storage module 310 identifies the digital signature included with the request. Additionally, the storage module 310 identifies the record node of the data structure in the data structure storage 302 . If the storage module 310 is able to verify the digital signature using a public key included in the record node as an output, the storage module 310 determines that the user has ownership rights to the record node.
- if the storage module 310 determines that the user does not have ownership rights to the record node, the storage module 310 transmits a notification to the client device 102 indicating that the request has been denied. However, if it is determined that the user has ownership rights to the record node, the storage module 310 requests that the verification module 308 determine whether the user has access rights to the data structure (e.g., verify that the user's access rights to the data structure have not been revoked).
- if the verification module 308 determines that the user does not have access rights to the data structure, the storage module 310 transmits a notification to the client device 102 indicating that the request has been denied.
- the storage module 310 creates a record node directly connected to the record node identified by the request received from the client device 102 .
- the created record node is a child node of the record node identified by the request.
- the storage module 310 includes in the created record node the data item that the user requested be stored. In another embodiment, instead of including the data item, a pointer to a location where the data item is stored is included in the record node.
- the storage module 310 generates a hash digest of the record node identified by the request and includes the hash digest in the created record node. Additionally, the storage module 310 determines from the request received from the client device 102 , the public key of the user that is to have ownership rights to the record node. The storage module 310 includes the public key in the record node as an output. If the request received from the client device 102 includes the public keys of multiple users that are to have ownership rights to the record node, the storage module 310 includes in the record node multiple outputs, each output for a different public key.
- the access module 312 provides users with access to data items of data structures. When a request is received by the data storage system 104 from a user's client device 102 to view the data items that are part of a data structure, the access module 312 forwards information of the request to the verification module 308 and requests that the verification module 308 determine whether the user has access rights to the data structure.
- if the verification module 308 determines that the user does not have access rights to the data structure, the storage module 310 transmits a notification to the client device 102 indicating that the request has been denied.
- the access module 312 identifies the record nodes of the data structure in the data structure storage 302 .
- the verification module 308 transmits to the client device 102 information to display representations of the record nodes.
- the representation of each record node indicates the data item associated with the record node and includes an identifier of the record node that can be used to request access to the data item.
- the identifier is a hash digest of the record node.
- the identifier is the input of the record node.
- the access module 312 verifies that the verification module 308 has already determined that the user has access rights to the data structure. If the verification module 308 has not already determined that the user has access rights to the data structure, the access module 312 requests that the verification module 308 make a determination. If the user has access rights to the data structure, the access module 312 identifies the identifier of the record node included in the request. The access module 312 identifies the record node in the data structure storage 302 based on the identifier. The access module 312 transmits the data item included in the record node to the client device 102 .
- if the record node includes a pointer to the data item instead of the data item itself, the access module 312 uses the pointer to retrieve the data item and transmits the data item to the client device 102 . In another embodiment, the access module 312 transmits the data item to the client device 102 only if the record node includes an output that is a public key of the user.
- FIG. 4 is a flow chart illustrating a process 400 for providing a user access rights to a data structure in accordance with one embodiment.
- the data structure includes a root node and multiple record nodes including data items. Additionally, for this example assume that only an administrator of the data structure can request that access rights be granted to the data structure.
- the data storage system 104 receives 402 from a client device 102 a request to provide a user access rights to the data structure.
- the request includes a digital signature generated by the client device 102 using a private key of a user of the client device 102 that initiated the request.
- the request also includes the public key of the user for which access rights are being requested.
- the data storage system 104 identifies 404 a public key included in the root node of the data structure.
- the public key is associated with the administrator of the data structure.
- the data storage system 104 determines 406 the request was initiated by the administrator of the data structure by verifying the digital signature using the public key.
- the data storage system 104 creates 408 an access node directly connected to the root node based on determining that the request was initiated by the administrator.
- the access node includes an input that is a hash digest of the root node and an output that is a public key of the user for which access rights were requested.
- the access node also includes data that indicates the user associated with the public key of the output has access rights to the data structure. The creation of the access node provides the user access rights to the data structure.
- FIG. 5 is a flow chart illustrating a process 500 for accessing information of a data structure in accordance with one embodiment. Assume for purposes of this example that the data structure includes a root node, access nodes granting users access rights to the data structure, and record nodes including data items.
- the data storage system 104 receives 502 a request from a user's client device 102 to access information associated with the data structure.
- the request includes a digital signature generated using the user's private key.
- the data storage system 104 verifies 504 that the user has access rights to the data structure.
- the data storage system 104 verifies that the user has access rights by identifying each access node in the data structure that has no child node. Each identified access node includes a public key as an output.
- the data storage system 104 determines that the user has access rights based on verifying the digital signature using the public key included in one of the identified access nodes.
- the data storage system 104 transmits 506 to the client device 102 information of the record nodes included in the data structure.
- the information includes for each record node the data item associated with the record node and an identifier associated with the record node that can be used to request access to the data item.
- the data storage system 104 receives 508 a request from the client device to access a data item associated with a record node of the data structure.
- the request includes an identifier associated with the record node.
- the data storage system 104 identifies 510 the record node in the data structure based on the identifier.
- the data storage system 104 transmits 512 the data item associated with the record node to the client device 102 .
- FIG. 6 is a flow chart illustrating a process 600 for processing a request to store a data item in association with a data structure in accordance with one embodiment. Assume for purposes of this example that the user making the request has access rights to the data structure.
- the data storage system 104 receives 602 the request from the user's client device 102 .
- the request includes an identifier of a record node of the data structure to which the data item is to be directly linked.
- the request also includes the data item and a digital signature generated by the client device 102 using the user's private key.
- the data storage system 104 identifies 604 the record node in the data structure based on the identifier.
- the identified record node includes an output that is a public key.
- the data storage system 104 determines 606 that the user has ownership rights to the record node by verifying the digital signature using the output public key.
- the data storage system 104 creates 608 a record node in the data structure directly connected to the identified record node based on determining that the user has ownership rights to the record node.
- the created record node includes the data item. Additionally, the created record node includes an input that is a hash digest of the identified record node.
- the created record node also includes the public key of the user that has ownership rights to the created record node. In one embodiment, the request includes the public key of the user that is to have ownership rights.
- FIG. 7 is a flow chart illustrating a process 700 for revoking a user's access rights to a data structure in accordance with one embodiment.
- the data structure includes an access node directly connected to the root node of the data structure, and the access node includes a public key of the user as an output.
- the access node does not include a child node.
- only an administrator of the data structure can request to revoke a user's access rights.
- the data storage system 104 receives 702 a request from a client device 102 to revoke the user's access rights.
- the request includes the public key of the user whose access rights are to be revoked.
- the request also includes a digital signature generated using the private key of a user that initiated the request.
- the data storage system 104 identifies 704 a public key included in the root node of the data structure.
- the public key is associated with the administrator of the data structure.
- the data storage system 104 determines 706 the request was initiated by the administrator of the data structure by verifying the digital signature using the public key.
- FIG. 8 is a block diagram illustrating a functional view of a computer system 800 for use as one of the systems illustrated in the environment 100 of FIG. 1 in accordance with one embodiment. Illustrated are at least one processor 802 coupled to a chipset 804 . Also coupled to the chipset 804 are a memory 806 , a storage device 808 , a keyboard 810 , a graphics adapter 812 , a pointing device 814 , and a network adapter 816 . A display 818 is coupled to the graphics adapter 812 . In one embodiment, the functionality of the chipset 804 is provided by a memory controller hub 820 and an I/O controller hub 822 . In another embodiment, the memory 806 is coupled directly to the processor 802 instead of the chipset 804 .
- the storage device 808 is a non-transitory computer-readable storage medium, such as a hard drive, compact disk read-only memory (CD-ROM), DVD, or a solid-state memory device.
- the memory 806 holds instructions and data used by the processor 802 .
- the pointing device 814 may be a mouse, track ball, or other type of pointing device, and is used in combination with the keyboard 810 to input data into the computer system 800 .
- the graphics adapter 812 displays images and other information on the display 818 .
- the network adapter 816 couples the computer system 800 to the network 106 . Some embodiments of the computer system 800 have different and/or other components than those shown in FIG. 8 .
- the computer 800 is adapted to execute the modules of FIG. 3 and the processes of FIG. 4-7 for providing the functionality described herein.
- the term “module” refers to computer program instructions and other logic for providing a specified functionality.
- a module can be implemented in hardware, firmware, and/or software.
- a module is typically stored on the storage device 808 , loaded into the memory 806 , and executed by the processor 802 .
- a module can include one or more processes, and/or be provided by only part of a process.
- Embodiments of the entities described herein can include other and/or different modules than the ones described here.
- the functionality attributed to the modules can be performed by other or different modules in other embodiments.
- this description occasionally omits the term “module” for purposes of clarity and convenience.
- the types of computer systems 800 used by the systems of FIG. 1 can vary depending upon the embodiment and the processing power used by the entity.
- a client device 102 such as a mobile phone typically has limited processing power and a small display 818 .
- the data storage system 104 may comprise multiple blade servers working together to provide the functionality described herein.
- Certain aspects disclosed herein include process steps and instructions described herein in the form of a method. It should be noted that the process steps and instructions described herein can be embodied in software, firmware or hardware, and when embodied in software, can be downloaded to reside on and be operated from different platforms used by a variety of operating systems.
- This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer.
- a computer program may be stored in a non-transitory computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of media suitable for storing electronic instructions, and each coupled to a computer system bus.
- the computers referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Databases & Information Systems (AREA)
- Computing Systems (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/267,116 US10607025B2 (en) | 2016-09-15 | 2016-09-15 | Access control through data structures |
PCT/US2017/050048 WO2018052754A1 (en) | 2016-09-15 | 2017-09-05 | Access control through data structures |
EP17851326.3A EP3513299A4 (en) | 2016-09-15 | 2017-09-05 | Access control through data structures |
JP2019514069A JP2019530332A (en) | 2016-09-15 | 2017-09-05 | Access control through data structures |
SG11201901737TA SG11201901737TA (en) | 2016-09-15 | 2017-09-05 | Access control through data structures |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/267,116 US10607025B2 (en) | 2016-09-15 | 2016-09-15 | Access control through data structures |
Publications (2)
Publication Number | Publication Date |
---|---|
US20180075252A1 US20180075252A1 (en) | 2018-03-15 |
US10607025B2 true US10607025B2 (en) | 2020-03-31 |
Family
ID=61560639
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/267,116 Active 2037-10-01 US10607025B2 (en) | 2016-09-15 | 2016-09-15 | Access control through data structures |
Country Status (5)
Country | Link |
---|---|
US (1) | US10607025B2 (en) |
EP (1) | EP3513299A4 (en) |
JP (1) | JP2019530332A (en) |
SG (1) | SG11201901737TA (en) |
WO (1) | WO2018052754A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111310145B (en) * | 2020-03-06 | 2023-02-21 | 抖音视界有限公司 | User right verification method and device and electronic equipment |
JP7388707B2 (en) | 2020-03-11 | 2023-11-29 | Zerobillbank Japan株式会社 | Information processing device, information processing system, information processing method, and program |
US20220067186A1 (en) * | 2020-09-02 | 2022-03-03 | Cookie.AI, Inc. | Privilege graph-based representation of data access authorizations |
US11818276B1 (en) * | 2022-10-07 | 2023-11-14 | Uab 360 It | Optimized header information to enable access control |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050114666A1 (en) | 1999-08-06 | 2005-05-26 | Sudia Frank W. | Blocked tree authorization and status systems |
US20080263370A1 (en) * | 2005-09-16 | 2008-10-23 | Koninklijke Philips Electronics, N.V. | Cryptographic Role-Based Access Control |
US8209531B2 (en) | 2004-08-31 | 2012-06-26 | Ntt Docomo, Inc. | Revocation of cryptographic digital certificates |
US8776216B2 (en) | 2005-10-18 | 2014-07-08 | Intertrust Technologies Corporation | Digital rights management engine systems and methods |
US20140201520A1 (en) * | 2010-12-03 | 2014-07-17 | Yacov Yacobi | Attribute-based access-controlled data-storage system |
US8832466B1 (en) | 2006-01-27 | 2014-09-09 | Trustwave Holdings, Inc. | Methods for augmentation and interpretation of data objects |
US9008303B1 (en) * | 2011-12-22 | 2015-04-14 | Emc Corporation | Method and apparatus for generating forward secure pseudorandom numbers |
Application Events
- 2016
  - 2016-09-15 US US15/267,116 patent/US10607025B2/en active Active
- 2017
  - 2017-09-05 EP EP17851326.3A patent/EP3513299A4/en not_active Withdrawn
  - 2017-09-05 SG SG11201901737TA patent/SG11201901737TA/en unknown
  - 2017-09-05 JP JP2019514069A patent/JP2019530332A/en active Pending
  - 2017-09-05 WO PCT/US2017/050048 patent/WO2018052754A1/en unknown
Non-Patent Citations (2)
Title |
---|
European Patent Office, Extended European Search Report and Opinion, EP Patent Application No. 17851326.3, dated Jan. 29, 2020, six pages. |
PCT International Search Report and Written Opinion, PCT Application No. PCT/US2017/050048, dated Nov. 7, 2017, 22 pages. |
Also Published As
Publication number | Publication date |
---|---|
SG11201901737TA (en) | 2019-04-29 |
US20180075252A1 (en) | 2018-03-15 |
JP2019530332A (en) | 2019-10-17 |
EP3513299A1 (en) | 2019-07-24 |
WO2018052754A1 (en) | 2018-03-22 |
EP3513299A4 (en) | 2020-02-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2017219140B2 (en) | Methods and systems for distributing cryptographic data to authenticated recipients | |
US10121018B2 (en) | Secure data synchronization | |
US11196729B2 (en) | Methods and systems for distributing encrypted cryptographic data | |
US9680654B2 (en) | Systems and methods for validated secure data access based on an endorsement provided by a trusted third party | |
US11379771B2 (en) | Management of workflows | |
US20140053252A1 (en) | System and Method for Secure Document Distribution | |
US10607025B2 (en) | Access control through data structures | |
US11943345B2 (en) | Key management method and related device | |
US20200125752A1 (en) | Method and system for anonymous information rights management to allow tracking of downloaded documents without authentication | |
TR2023006911T2 (en) | ENCRYPTED FILE CONTROL |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AS | Assignment | Owner name: PEERNOVA, INC., CALIFORNIA. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:RASMUSSEN, ANDREW JAMES;REEL/FRAME:039764/0392. Effective date: 20160915 |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: AWAITING TC RESP., ISSUE FEE NOT PAID |
| | STPP | Information on status: patent application and granting procedure in general | Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| | CC | Certificate of correction | |
| | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY. Year of fee payment: 4 |